-
Notifications
You must be signed in to change notification settings - Fork 104
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
MsCorePkg/SecureBootKeyStoreLib: Add Library implementation (#377)
## Description Adds SecureBootKeyStoreLib which provides secureboot key store options by consuming fixed at build PCDs that represent the Pk, Db, 3PDb, Kek, and Dbx. - [x] Impacts functionality? - Adds 5 new PCDs to represent the Pk, Db, 3PDb, Kek, and Dbx, which are consumed by SedcureBootKeyStoreLibOem when configuring SecureBoot. - [ ] Impacts security? - **Security** - Does the change have a direct security impact on an application, flow, or firmware? - Examples: Crypto algorithm change, buffer overflow fix, parameter validation improvement, ... - [ ] Breaking change? - **Breaking change** - Will anyone consuming this change experience a break in build or boot behavior? - Examples: Add a new library class, move a module to a different repo, call a function in a new library class in a pre-existing module, ... - [ ] Includes tests? - **Tests** - Does the change include any explicit test code? - Examples: Unit tests, integration tests, robot tests, ... - [ ] Includes documentation? - **Documentation** - Does the change contain explicit documentation additions outside direct code modifications (and comments)? - Examples: Update readme file, add feature readme file, link to documentation on an a separate Web page, ... ## How This Was Tested Verified secureboot is properly enabled on Qemu35Pkg for Microsoft and Microsoft 3rd party. ## Integration Instructions Generate the following PCDs for your platform DSC: 1. gOemPkgTokenSpaceGuid.PcdDefaultKek 2. gOemPkgTokenSpaceGuid.PcdDefaultDb 3. gOemPkgTokenSpaceGuid.PcdDefault3PDb 4. gOemPkgTokenSpaceGuid.PcdDefaultDbx 5. gOemPkgTokenSpaceGuid.PcdDefaultPk It is highly suggested, but not required, that each pcd is generated by running BaseTools `BinToPcd` over the binary blobs created in [secureboot_objects](https://github.com/microsoft/secureboot_objects), then including them in the platform's DSC file. --------- Co-authored-by: Michael Kubacki <[email protected]>
- Loading branch information
Showing
4 changed files
with
131 additions
and
0 deletions.
There are no files selected for viewing
36 changes: 36 additions & 0 deletions
36
MsCorePkg/Library/BaseSecureBootKeyStoreLib/BaseSecureBootKeyStoreLib.inf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
## @file - BaseSecureBootKeyStoreLib.inf | ||
# Copyright (C) Microsoft Corporation. All rights reserved. | ||
# SPDX-License-Identifier: BSD-2-Clause-Patent | ||
# | ||
|
||
[Defines] | ||
INF_VERSION = 0x00010005 | ||
BASE_NAME = BaseSecureBootKeyStoreLib | ||
FILE_GUID = 02EEF9DA-5557-4090-BFF5-E07EF0344805 | ||
VERSION_STRING = 1.0 | ||
MODULE_TYPE = BASE | ||
LIBRARY_CLASS = SecureBootKeyStoreLib | ||
|
||
# | ||
# The following information is for reference only and not required by the build tools. | ||
# | ||
# VALID_ARCHITECTURES = IA32 X64 AARCH64 | ||
# | ||
|
||
[Packages] | ||
MdePkg/MdePkg.dec | ||
SecurityPkg/SecurityPkg.dec | ||
MsCorePkg/MsCorePkg.dec | ||
|
||
[Sources] | ||
SecureBootKeyStoreLib.c | ||
|
||
[LibraryClasses] | ||
PcdLib | ||
|
||
[FixedPcd] | ||
gMsCorePkgTokenSpaceGuid.PcdDefaultKek # CONSUMES | ||
gMsCorePkgTokenSpaceGuid.PcdDefaultDb # CONSUMES | ||
gMsCorePkgTokenSpaceGuid.PcdDefault3PDb # CONSUMES | ||
gMsCorePkgTokenSpaceGuid.PcdDefaultDbx # CONSUMES | ||
gMsCorePkgTokenSpaceGuid.PcdDefaultPk # CONSUMES |
74 changes: 74 additions & 0 deletions
74
MsCorePkg/Library/BaseSecureBootKeyStoreLib/SecureBootKeyStoreLib.c
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,74 @@ | ||
/** @file SecureBootKeyStoreLib.c | ||
Copyright (C) Microsoft Corporation. All rights reserved. | ||
SPDX-License-Identifier: BSD-2-Clause-Patent | ||
**/ | ||
|
||
#include <Uefi.h> | ||
#include <UefiSecureBoot.h> | ||
|
||
#include <Guid/ImageAuthentication.h> | ||
|
||
#include <Library/SecureBootVariableLib.h> | ||
#include <Library/PcdLib.h> | ||
|
||
SECURE_BOOT_PAYLOAD_INFO mSecureBootPayload[] = { | ||
{ | ||
.SecureBootKeyName = L"Microsoft Only", | ||
.KekPtr = (CONST UINT8 *)FixedPcdGetPtr (PcdDefaultKek), | ||
.KekSize = (CONST UINT32)FixedPcdGetSize (PcdDefaultKek), | ||
.DbPtr = (CONST UINT8 *)FixedPcdGetPtr (PcdDefaultDb), | ||
.DbSize = (CONST UINT32)FixedPcdGetSize (PcdDefaultDb), | ||
.DbxPtr = (CONST UINT8 *)FixedPcdGetPtr (PcdDefaultDbx), | ||
.DbxSize = (CONST UINT32)FixedPcdGetSize (PcdDefaultDbx), | ||
.PkPtr = (CONST UINT8 *)FixedPcdGetPtr (PcdDefaultPk), | ||
.PkSize = (CONST UINT32)FixedPcdGetSize (PcdDefaultPk), | ||
.DbtPtr = NULL, | ||
.DbtSize = 0, | ||
}, | ||
{ | ||
.SecureBootKeyName = L"Microsoft Plus 3rd Party", | ||
.KekPtr = (CONST UINT8 *)FixedPcdGetPtr (PcdDefaultKek), | ||
.KekSize = (CONST UINT32)FixedPcdGetSize (PcdDefaultKek), | ||
.DbPtr = (CONST UINT8 *)FixedPcdGetPtr (PcdDefault3PDb), | ||
.DbSize = (CONST UINT32)FixedPcdGetSize (PcdDefault3PDb), | ||
.DbxPtr = (CONST UINT8 *)FixedPcdGetPtr (PcdDefaultDbx), | ||
.DbxSize = (CONST UINT32)FixedPcdGetSize (PcdDefaultDbx), | ||
.PkPtr = (CONST UINT8 *)FixedPcdGetPtr (PcdDefaultPk), | ||
.PkSize = (CONST UINT32)FixedPcdGetSize (PcdDefaultPk), | ||
.DbtPtr = NULL, | ||
.DbtSize = 0, | ||
} | ||
}; | ||
|
||
/** | ||
Interface to fetch platform Secure Boot Certificates, each payload | ||
corresponds to a designated set of db, dbx, dbt, KEK, PK. | ||
@param[in] Keys Pointer to hold the returned sets of keys. The | ||
returned buffer will be treated as CONST and | ||
permanent pointer. The consumer will NOT free | ||
the buffer after use. | ||
@param[in] KeyCount The number of sets available in the returned Keys. | ||
@retval EFI_SUCCESS The Keys are properly fetched. | ||
@retval EFI_INVALID_PARAMETER Inputs have NULL pointers. | ||
**/ | ||
EFI_STATUS | ||
EFIAPI | ||
GetPlatformKeyStore ( | ||
OUT SECURE_BOOT_PAYLOAD_INFO **Keys, | ||
OUT UINT8 *KeyCount | ||
) | ||
{ | ||
if ((Keys == NULL) || (KeyCount == NULL)) { | ||
return EFI_INVALID_PARAMETER; | ||
} | ||
|
||
*Keys = mSecureBootPayload; | ||
*KeyCount = ARRAY_SIZE (mSecureBootPayload); | ||
|
||
return EFI_SUCCESS; | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters